GHSA-cq7q-5c67-w39w

GitHub Security Advisory

matrix-appservice-irc vulnerable to IRC mode parameter confusion

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

IRC allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc perform parsing of such modes incorrectly, potentially resulting in the wrong user being given permissions.

Mode commands can only be executed by privileged users, so this can only be abused if an operator is tricked into running the command on behalf of an attacker.

### Patches

The vulnerability has been patched in matrix-appservice-irc 0.35.0.

### Workarounds

Refrain from entering mode commands suggested by untrusted users. Avoid using multiple modes in a single command.
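
The JavaScript below is an added example, not code from matrix-appservice-irc or node-irc and not a reproduction of the patched bug. It pairs each mode letter in a multi-mode command with its own parameter, using the CHANMODES classes a server advertises in RPL_ISUPPORT, and rewrites the command into the one-mode-per-command form recommended above. The `ISUPPORT` values, function names, channel and nicknames are constructed for illustration.

```javascript
// Constructed sample of what a server advertises in RPL_ISUPPORT (005):
// CHANMODES=A,B,C,D plus the PREFIX mode letters. Real servers differ.
const ISUPPORT = { chanmodes: "beI,k,l,imnpst", prefixModes: "ov" };

function modeClasses({ chanmodes, prefixModes }) {
  const [a = "", b = "", c = "", d = ""] = chanmodes.split(",");
  return {
    always: new Set([...a, ...b, ...prefixModes]), // types A, B, prefix: parameter on + and -
    onSet: new Set(c),                             // type C: parameter only when set (+)
    never: new Set(d),                             // type D: never takes a parameter
  };
}

// Pair every mode letter of "MODE <channel> <modes> [params...]" with its parameter.
// Anything ambiguous is rejected instead of guessed.
function parseModeChange(modeString, params, isupport = ISUPPORT) {
  const cls = modeClasses(isupport);
  const queue = [...params];
  const changes = [];
  let sign = "+";
  for (const ch of modeString) {
    if (ch === "+" || ch === "-") { sign = ch; continue; }
    let takesParam;
    if (cls.always.has(ch)) takesParam = true;
    else if (cls.onSet.has(ch)) takesParam = sign === "+";
    else if (cls.never.has(ch)) takesParam = false;
    else throw new Error(`unknown mode '${ch}': cannot pair parameters safely`);
    if (takesParam && queue.length === 0) {
      throw new Error(`mode ${sign}${ch} is missing its parameter`);
    }
    changes.push({ sign, mode: ch, param: takesParam ? queue.shift() : null });
  }
  if (queue.length > 0) throw new Error(`unused parameters: ${queue.join(" ")}`);
  return changes;
}

// The workaround as code: emit one MODE command per mode letter.
function toSingleModeCommands(channel, modeString, params, isupport = ISUPPORT) {
  return parseModeChange(modeString, params, isupport).map(
    ({ sign, mode, param }) =>
      `MODE ${channel} ${sign}${mode}${param === null ? "" : " " + param}`
  );
}
```

With the sample classes, `+mo-l+v alice bob` expands so that `-l` consumes no parameter and `bob` is paired with `+v`, which lets an operator see exactly which nickname receives which privilege before sending anything.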

### References

- https://matrix.org/blog/2022/09/13/security-release-of-matrix-appservice-irc-0-35-0-high-severity

### Credits

Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/).

### For more information

If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]).

Affected Packages

npm matrix-appservice-irc
Affected versions: 0 (fixed in 0.35.0)

Key Information

GHSA ID: GHSA-cq7q-5c67-w39w
Published: September 15, 2022 3:26 AM
Last Modified: October 7, 2022 4:25 PM
CVSS Score: 5.0/10
Primary Ecosystem: npm
Primary Package: matrix-appservice-irc
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 14, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.